Abstract

Deterministic timed automata are strictly less expressive than their non-deterministic counterparts, which are again less expressive than those with silent transitions. As a consequence, timed automata are in general not determinizable. This is unfortunate, since deterministic automata play a major role in model-based testing, observability and implementability. However, by bounding the length of the traces in the automaton, effective determinization becomes possible. We propose a novel procedure for bounded determinization of timed automata. The procedure unfolds the automata to bounded trees, removes all silent transitions and determinizes via disjunction of guards. The proposed algorithms are optimized for the bounded setting and are thus more efficient and can handle a larger class of timed automata than the general algorithms. The approach is implemented in a prototype tool and evaluated on several examples. To the best of our knowledge, this is the first implementation of this type of procedure for timed automata.


1 Introduction 

The design of modern embedded systems often involves the integration of interacting components $A_1$ and $A_2$ that realize some requested behavior. In early stages of the design, $A_1$ and $A_2$ are high-level and partial models that allow considerable implementation freedom to the designer. In practice, this freedom is reflected in the non-deterministic choices that are intended to be resolved during subsequent design refinement steps. In addition, the composition of two components involves their synchronization on some shared actions. Typically, the actions over which the two components interact are hidden and become unobservable to the user. It follows that the overall specification $A_1 \parallel A_2$ can be a non-deterministic, partially observable model. However, for many problems such as model-based testing, observability, implementability and language inclusion checking, it is desirable and in certain cases necessary to work with a deterministic model.

Many embedded systems must meet strict real-time requirements. Timed automata (TA) [5] are a formal modeling language that enables the specification of complex real-time systems. In contrast to classical automata theory, deterministic TA (DTA) are strictly less expressive than fully observable non-deterministic TA (NTA) [3], [11], [12], whereas the latter are strictly less expressive than TA with silent transitions (eNTA) [5]. This strict hierarchy of TA with respect to determinism and observability has an important direct consequence: NTA are not determinizable in general. In addition, due to their complexity, it is rarely the case that exhaustive verification methods are used during the design of modern embedded systems. Lighter and incomplete methods, such as model-based testing [15] and bounded model checking [8], are used in practice in order to gain confidence in the design-under-test and effectively catch bugs.

In this paper, we propose a procedure for bounded determinization of eNTA. Given an arbitrary strongly responsive¹ eNTA $A$ and a bound $k$, our algorithm computes a DTA $D(A)$ in the form of a timed tree, such that every timed trace consisting of at most $k$ observable actions is a trace in $A$ if and only if it is a trace in $D(A)$. It provides the basis for effectively implementing bounded refinement checking and test case generation procedures.

Our concrete motivation behind determinizing the model was induced by our previous model-based testing approach [2]. This approach uses fault-based techniques for the test generation and needs to perform language inclusion between correct and faulty timed automata models. The language inclusion is implemented via SMT solving and relies on deterministic models. Thus, the determinization enables the processing of a wider class of models, and the restriction to bounded traces does not pose a problem, as testing only considers finite traces.

The proposed algorithms are performed in three steps: (1) we unfold the original automaton into a finite tree and rename the clocks in a way that only needs one clock reset per transition, (2) we remove the silent transitions from the tree, (3) we determinize it. Our determinization procedure results in a TA description which includes diagonal [9] and disjunctive constraints. Although non-standard, this representation is practical and optimized for the bounded setting: it avoids the costly transformation of the TA into its standard form and exploits efficient heuristics in SMT solvers that can directly deal with this type of constraints. In addition, our focus on bounded determinization allows us to consider models, such as TA with loops containing both observable and silent transitions with reset, that could not be determinized otherwise. We implemented the procedure in a prototype tool and evaluated it on several examples. To the best of our knowledge, this is the first implementation of this type of procedure for timed automata.

¹ In model-based testing, strong responsiveness is the requirement that there are no silent loops; otherwise the tester cannot distinguish between deadlocks and livelocks.

Running example. The different steps of the algorithms will be illustrated on a running example of a coffee machine shown in Figure 1. After inserting a coin, the system heats up for zero to three seconds, followed by a beep tone indicating its readiness. Alternatively, if there is no coffee or water left, the beep might occur after exactly two seconds, indicating that the refunding process has started and the coin will be returned within four seconds.

Heating up and grinding the coffee together may only take between one and two seconds. Then the brewing process starts and finally the machine releases the coffee after one second of brewing. There is no observable signal indicating the transition from grinding to brewing, thus this transition is silent.

The rest of the paper is structured as follows: First, we give the basic definitions and notation of TA with silent transitions (Section 2). Then, we illustrate the first step of our procedure, the bounded unfolding of the automaton and the renaming of clocks (Section 3). This is followed by the second step, the removal of silent transitions (Section 4), and the final step, our determinization approach (Section 5). Section 6 summarizes the complexity of the different steps. In Section 7 we evaluate our prototype implementation and in Section 8 we address related work. Finally, in Section 9 we conclude our work. Complete proofs of the propositions and theorems can be found in the appendices.


Figure 1: Running example


2 Timed Automata with Silent Transitions 

A timed automaton is an abstract model aiming at capturing the real-time behaviour of systems. It is a finite automaton extended with a set of clocks defined over $\mathbb{R}_{\geq 0}$, the set of non-negative real numbers. We may represent the timed automaton by a graph whose nodes are called locations, which are defined through a set of upper bounds put on the clock values. These bounds are restricted to non-negative integer values. While being at a location, all clocks progress at the same rate. The edges of the graph are called transitions. Each transition may be subject to constraints, called guards, put on clock values in the form of integer inequalities. At each such transition an action occurs and some of the clocks may be reset. The actions take values in some finite domain denoted by $\Sigma$. Here we are dealing with the class of timed automata with an extended set of actions including also silent actions, denoted by $\epsilon$. These are internal actions that are non-observable from the outside, and we distinguish them from the actions that are not silent, called observable actions. We call a TA without silent transitions fully observable.

Let $X$ be a finite set of clock variables. A clock valuation $v$ is a function $v : X \to \mathbb{R}_{\geq 0}$ assigning a real value to every clock $x \in X$. We denote by $V$ the set of all clock valuations and by $\mathbf{0}$ the valuation assigning 0 to every clock. For a valuation $v$ and $d \in \mathbb{R}_{\geq 0}$ we define $v + d$ to be the valuation $(v + d)(x) = v(x) + d$ for all $x \in X$. For a subset $X_{rst}$ of $X$, we denote by $v[X_{rst}]$ the valuation such that for every $x \in X_{rst}$, $v[X_{rst}](x) = 0$ and for every $x \in X \setminus X_{rst}$, $v[X_{rst}](x) = v(x)$. A clock constraint $\varphi$ is a conjunction of predicates of the form $x \sim n$, where $x \in X$, $n \in \mathbb{N}$ and $\sim \in \{<, \leq, =, \geq, >\}$. Given a clock valuation $v$, we write $v \models \varphi$ when $v$ satisfies $\varphi$. We give now a formal definition of (non-deterministic) timed automata with silent transitions.

Definition 2.1 (eNTA) A (non-deterministic) timed automaton with silent transitions $A$ is a tuple $(Q, q_{init}, \Sigma_\epsilon, X, I, G, T, Q_{accept})$, where $Q$ is a finite set of locations and $q_{init} \in Q$ is the initial location; $\Sigma_\epsilon = \Sigma \cup \{\epsilon\}$ is a finite set of actions, where $\Sigma$ are the observable actions and $\epsilon$ represents a silent action, that is a non-observable internal action; $X$ is a finite set of clock variables; $I : Q \to LI$ is a mapping from locations to location invariants, where each location invariant $li \in LI$ is a conjunction of constraints of the form $true$, $x < n$ or $x \leq n$, with $x \in X$ and $n \in \mathbb{N}$; $G$ is a set of transition guards, where each guard is a conjunction of constraints of the form $x \sim n$, where $x \in X$, $\sim \in \{<, \leq, =, \geq, >\}$ and $n \in \mathbb{N}$; $T \subseteq Q \times \Sigma_\epsilon \times G \times \mathcal{P}(X) \times Q$ is a finite set of transitions of the form $(q, a, g, X_{rst}, q')$, where $q, q' \in Q$ are the source and the target locations, $a \in \Sigma_\epsilon$ is the transition action, $g \in G$ is the transition guard and $X_{rst} \subseteq X$ is the subset of clocks to be reset; $Q_{accept} \subseteq Q$ is the subset of accepting locations.

Example 2.1 For the eNTA illustrated in Figure 1 we have $Q = \{q_0, \ldots, q_4\}$, $q_{init} = q_0$, $\Sigma_\epsilon = \{\epsilon, coin, beep, refund, coffee\}$, $X = \{x\}$, $I(q_i) = true$ for all $q_i \in Q$, $G = \{0 \leq x \leq 3,\ x = 2,\ x \leq 4,\ 1 \leq x \leq 2,\ x = 1\}$, $Q_{accept} = \{q_0\}$. $T$ is the set containing all transitions, e.g. the transition from $q_2$ to $q_4$, with $a = \epsilon$ (thus, it is a silent transition), $g = 1 \leq x \leq 2$ and $X_{rst} = \{x\}$.

The semantics of an eNTA $A$ is given by the timed transition system $[[A]] = (S, s_{init}, \mathbb{R}_{\geq 0}, \Sigma_\epsilon, \mathcal{T}, S_{accept})$, where $S = \{(q, v) \in Q \times V \mid v \models I(q)\}$, $s_{init} = (q_{init}, \mathbf{0})$; $\mathcal{T} \subseteq S \times (\Sigma_\epsilon \cup \mathbb{R}_{\geq 0}) \times S$ is the transition relation consisting of timed and discrete transitions such that: Timed transitions (delay): $((q, v), d, (q, v + d)) \in \mathcal{T}$, where $d \in \mathbb{R}_{\geq 0}$, if $v + d \models I(q)$; Discrete transitions (jump): $((q, v), a, (q', v')) \in \mathcal{T}$, where $a \in \Sigma_\epsilon$, if there exists a transition $(q, a, g, X_{rst}, q')$ in $T$, such that: (1) $v \models g$; (2) $v' = v[X_{rst}]$ and (3) $v' \models I(q')$; $S_{accept} \subseteq S$ such that $(q, v) \in S_{accept}$ if and only if $q \in Q_{accept}$.

A finite well-behaving run $\rho$ of an eNTA $A$ is a finite sequence of alternating timed and discrete transitions, that ends with an observable action, of the form

$(q_0, v_0) \xrightarrow{d_1} (q_0, v_0 + d_1) \xrightarrow{\tau_1} (q_1, v_1) \cdots (q_{n-1}, v_{n-1} + d_n) \xrightarrow{\tau_n} (q_n, v_n),$

where $q_0 = q_{init}$, $v_0 = \mathbf{0}$, $\tau_i = (q_{i-1}, a_i, g_i, X_{rst_i}, q_i) \in T$ and $a_n \in \Sigma$. In this paper we consider only finite and well-behaving runs. A run $\rho$ is accepting if the last location $q_n$ is accepting. The run $\rho$ of $A$ induces the timed trace $\sigma = (t_1, a_1), (t_2, a_2), \ldots, (t_n, a_n)$ defined over $\Sigma_\epsilon$, where $t_i = \sum_{j=1}^{i} d_j$. From the latter we can extract the observable timed trace, which is obtained by removing from $\sigma$ all the pairs containing silent actions while taking into account the passage of time. A TA is called deterministic if it does not contain silent transitions and whenever two timed traces are the same then they are induced by the same run. Otherwise, the TA is non-deterministic. The language accepted by an eNTA $A$, denoted $\mathcal{L}(A)$, is the set of observable timed traces induced by all accepting runs of $A$. Note that the restriction to well-behaving runs is compatible with the definition of the language of the automaton, where silent actions that occur after the last observable action on a finite run are ignored. As a consequence, a location with in-going edges consisting of only silent transitions cannot be an accepting location.


3 k-Bounded Unfolding of Timed Automata


Given an eNTA $A$ which is strongly responsive, its $k$-prefix language $\mathcal{L}_k(A) \subseteq \mathcal{L}(A)$ is the set of observable timed traces induced by all accepting runs of $A$ which are of observable length bounded by $k$. That is,

$\mathcal{L}_k(A) = \{w \in \mathcal{L}(A) \mid |w| \leq k\}.$ (1)

By unfolding $A$ and cutting it at observable level $k$, the resulting TA, $U_k(A)$, satisfies

$\mathcal{L}(U_k(A)) = \mathcal{L}_k(A).$ (2)

$U_k(A)$ is in the form of a finite tree, where each path that starts at the root ends after at most $k$ observable transitions, and we may also further cut $A$ by requiring that all leaves are accepting locations. Note that if we reach in $U_k(A)$ a copy of an accepting location $q$ of $A$ by a silent transition then it will not be marked as an accepting location (but another copy might be marked as an accepting location if reached by an observable transition).

Figure 2(a) shows the unfolding of the coffee machine up to observable depth three. The left branch is longer than the right, as it contains a silent transition.

Figure 2: Unfolding and clock renaming


3.1 Renaming the Clocks 

Every unfolded timed automaton can be expressed by an equivalent timed automaton that resets at most one clock per transition. This known normal form [1] crucially simplifies the next stages of our algorithm, where we do not need to bother with multiple clock resets in one transition. The basic idea is to substitute the clocks from the original automaton by new clocks, where multiple old clocks reset at the same transition are replaced by the same new clock, as they measure the same time until they are reset again. The substitution of the clocks is straightforward: on each path from the root, at the $i$-th observable transition, a new clock $x_i$ is introduced and reset, and if this transition is followed by $l > 0$ silent transitions then new clocks $x_{i,0}, \ldots, x_{i,l-1}$ are introduced and reset. A clock $x$ that occurs in a guard is substituted by the new clock that was introduced in the transition where the last reset of $x$ happened, or by $x_0$ if it was never reset. Let $\tau_i$ and $\tau_j$ be two transitions on the same path in the original automaton at observable depths $i$ and $j$, s.t. $i < j$. Furthermore, a clock $x$ appearing in the guard of $\tau_j$ is reset before in $\tau_i$, but is not reset on any transition in between $\tau_i$ and $\tau_j$. Then, $x_i$ is introduced and reset at $\tau_i$ and the original clock variable $x$ is substituted by $x_i$ in the guard of $\tau_j$. Figure 2(b) illustrates the clock renaming applied to the coffee machine. In the guards of the two beep-transitions starting at $q_1$, $x$ is replaced by $x_1$, since the last reset of $x$ in the original automaton was at depth one, while in the coffee-transition from $q_3$ it is replaced by $x_{2,0}$, as $x$ was reset in the first silent transition after depth two.


4 Removing the Silent Transitions 

In this section we give an algorithm that removes the silent transitions from the eNTA $A$, which is in the form of a finite tree with renamed clocks. Thus, at each level $i$ there will be a single clock $x_i$ reset on all transitions of that level. Algorithm 1 shows the workflow and Figure 3 illustrates the general idea.

Figure 3: Bypassing the silent transition

We remove the silent transitions one at a time, where at each iteration we remove the first occurrence of a silent transition on some path from the root, until no silent transitions are left (e.g. we can pick a path and remove one-by-one all its silent transitions, then move to another path, and so on). So, let $\tau_{s,0}$ be such a first silent transition found by Line 2 of the algorithm, leading from location $q_s$ to location $q_{s,0}$ with guard $g_{s,0}$ and reset of clock $x_{s,0}$. Let $q_s$ be reached from location $q_{s-1}$ with an observable transition $\tau_s$ and with guard $g_s$. The case where $q_s$ is the initial location is simpler, as it does not require building a bypass transition. In order to remove the silent transition $\tau_{s,0}$ after forming a transition that bypasses it, several steps are carried out, which will be explained in detail in the following subsections. First, we set an auxiliary lower bound on the clock that is reset on the silent transition by updating the guard (Line 3). Then, we create the bypass transition using an enabling guard $eg(\tau_{s,0})$ which represents the upper bound until when the silent transition is enabled (Line 4). In Line 5 we construct a taken guard $tg(\tau_{s,0})$ that ensures that the transitions from $q_{s,0}$ come after the necessary delay that is forced by the silent transition. The taken guard is added to all transitions leaving $q_{s,0}$. Finally, in Lines 6-7, we remove the silent transition $\tau_{s,0}$ and update all future guards referring to the deleted clock $x_{s,0}$.

4.0.1 Setting a Lower Bound to the Silent Transition.

We set a lower bound to the silent transition by augmenting the guard of $\tau_{s,0}$ to be $g'_{s,0} = g_{s,0} \wedge (0 \leq x_s)$, where $x_s$ is the clock that is reset on the transition $\tau_s$ that precedes the silent transition, thus ensuring that when referring to the guard of the silent transition we do not refer to an earlier time. This additional constraint per definition always evaluates to true, but it is used in the next step to compute the unary constraints of the enabling guard. The guard of the silent transition in Figure 2(b) after setting the lower bound is $1 \leq x_1 \leq 2 \wedge 0 \leq x_2$.

4.0.2 Creating a Bypass with the Enabling Guard.

The enabling guard $eg(\tau_{s,0})$ guarantees that each clock's constraint that was part of the silent transition is satisfied at some non-negative delay and that these constraints are satisfied simultaneously, thus at some point during the bypass transition the silent transition would have been enabled as well. We describe here how the enabling guards are defined for strict inequalities, as shown in the upper part of Table 1. The other cases are dealt with similarly, as seen in the table, and the constraint $x_i = n_i$ is treated as $n_i \leq x_i \leq n_i$. For every pair of a lower bound constraint $m_i < x_i$ and an upper bound constraint $x_j < n_j$, where $i \neq j$ and $x_i, x_j \neq x_s$ ($x_s$ is the clock that is reset at $\tau_s$), that appear in $g'_{s,0}$ we form the enabling guard binary constraint $x_j - x_i < n_j - m_i$ as shown in the first line of Table 1.

Figure 4: Fully observable non-deterministic TA

Algorithm 1 Removing the Silent Transitions

Input: $A \in eNTA_k$ in the form of a tree of observable depth $k$ with renamed clocks
Output: $O(A) \in NTA_k$, such that $\mathcal{L}(O(A)) = \mathcal{L}(A)$

1: while there are silent transitions do
2:     Find first (from root) silent transition $\tau_{s,0}$ from $q_s$ to $q_{s,0}$
3:     Set lower bound to the silent transition
4:     Create bypass transition with enabling guard
5:     Augment transitions from $q_{s,0}$ with taken guard
6:     Update guards on paths from $q_{s,0}$
7:     Remove $\tau_{s,0}$
8: end while

Table 1: Enabling guard constraints

| Silent Trans. Constraints | Clock Reset | Enabling Guard Constraint |
|---|---|---|
| $(m_i < x_i) \wedge (x_j < n_j)$ | $x_s$ | $x_j - x_i < n_j - m_i$ |
| $(m_s < x_s) \wedge (x_j < n_j)$ | $x_s$ | $x_j < n_j - m_s$ |
| $(m_i < x_i) \wedge (x_s < n_s)$ | $x_s$ | $m_i - n_s < x_i$ |
| $(m_i \leq x_i) \wedge (x_j < n_j)$ | $x_s$ | $x_j - x_i < n_j - m_i$ |
| $(m_i < x_i) \wedge (x_j \leq n_j)$ | $x_s$ | $x_j - x_i < n_j - m_i$ |
| $(m_i \leq x_i) \wedge (x_j \leq n_j)$ | $x_s$ | $x_j - x_i \leq n_j - m_i$ |
| $(m_i = x_i) \wedge (x_j = n_j)$ | $x_s$ | $x_j - x_i = n_j - m_i$ |

The next two lines consider constraints that involve the clock $x_s$, where $x_s$ will be removed as it is the clock that will be reset on the bypass and is considered of value 0. Note that for each upper bound constraint $x_j < n_j$ we use the lower bound constraint $0 \leq x_s$ that was added in the previous step of the algorithm to compute the enabling guard unary constraint $x_j < n_j$, which guarantees that at the time of the bypass $x_j$ does not pass its upper bound constraint of the silent transition. An example of such a unary constraint is marked in red in the transition from $q_1$ to $q_3$ in Figure 4. The silent transition in the original automaton could not have been enabled if $x_1$ had already been higher than two after the beep-transition, thus the bypass can also only be enabled while $x_1$ is smaller than two. The running example does not contain any binary constraints.

To create the bypass, we split the paths through $q_s$ in the original automaton $A$ into two. Those that do not take the silent transition $\tau_{s,0}$ continue as before from $q_{s-1}$ to $q_s$ and then to some location different from $q_{s,0}$. The paths that went through $\tau_{s,0}$ are directed from $q_{s-1}$ to $q_{s,0}$ and then continue as before. The bypass $\tau'_s$ from $q_{s-1}$ to $q_{s,0}$ has the same observable action as $\tau_s$, the same new clock reset $x_s$, and the guard $g'_s$, which is the guard $g_s$ of $\tau_s$ augmented with the enabling guard $eg(\tau_{s,0})$ (see Figure 3). Figure 4 shows the removal of the silent transition illustrated on the coffee machine. The transition from $q_1$ to $q_3$ is the bypass and the transition from $q_1$ to $q_2$ is the original transition. Since the silent transition was the only transition leaving $q_2$, $q_2$ does not contain any outgoing transitions anymore, once the bypass is generated.

4.0.3 Augmenting the Taken Guard.

For each transition from $q_{s,0}$ to $q_{s+1}$ we augment its guard $g_{s+1}$ by forming $g'_{s+1} = g_{s+1} \wedge tg(\tau_{s,0})$ (see Figure 3), where $tg(\tau_{s,0})$ is the taken guard. $tg(\tau_{s,0})$ is composed of a single constraint: $0 \leq x_{s,0}$, where $x_{s,0}$ is the clock that is reset at the silent transition $\tau_{s,0}$. In the next stage of the algorithm, updating the future guards, it will be transformed into the conjunction of the lower bound constraints $m_i < x_i$ or $m_i \leq x_i$ that appear in $g'_{s,0}$. These constraints make sure that we spend enough time at $q_{s,0}$ before moving to the next locations, as if we had taken the silent transition. The constraint is also used for synchronization of the future guards in the next step. In Figure 4, the red-marked part of the guard of the transition from $q_3$ to $q_6$ shows the taken guard that has already been updated from $0 \leq x_{2,0}$ to $1 \leq x_1$.


4.0.4 Updating the Future Guards.

The removal of the silent transition $\tau_{s,0}$ enforces updating of the guards in the paths that start at $q_{s,0}$ and that refer to the clock $x_{s,0}$ that is reset on the silent transition. The simplest case is when the silent transition guard $g'_{s,0}$ contains an exact constraint $x_i = n_i$, because then any future constraint of the form $x_{s,0} \sim l$ can be replaced by $x_i \sim n_i + l$. So, let us assume that the silent transition does not contain an exact constraint. The rules for updating the future guards are summarized in Table 2. Note that an equality constraint $x_{s,0} = n_{s+j}$ in a future guard may be treated as $n_{s+j} \leq x_{s,0} \leq n_{s+j}$.

Let $g_{s+1}, \ldots, g_{s+p}$ be the ordered list of guards of consecutive transitions $\tau_{s+1}, \ldots, \tau_{s+p}$ along a path that starts at $q_{s,0}$. Then, if $g_{s+j}$ contains the constraint $m_{s+j} \leq x_{s,0}$, it is replaced by the conjunction of constraints $m_i + m_{s+j} \leq x_i$, for each constraint $m_i \leq x_i$ that appears in $g'_{s,0}$. Similarly for upper bound constraints. In Figure 4 one future guard was updated in the transition from $q_3$ to $q_6$: The original guard of this transition was $x_{2,0} = 1$ (where $x_{2,0}$ was reset on the silent transition) and the guard of the silent transition was $1 \leq x_1 \leq 2$. Thus, according to the update rules, the updated future guard is $2 \leq x_1 \leq 3$ (written in black), conjuncted with the taken guard (marked in red).

Table 2: Update rules for future guards after removing the silent transitions

| Silent Trans. Constr. | Future Constr. | Replaced Constr. |
|---|---|---|
| $m_i < x_i$, $\{x_{s,0}\}$ | $m_{s+j} < x_{s,0}$ or $m_{s+j} \leq x_{s,0}$ | $m_i + m_{s+j} < x_i$ |
| $m_i \leq x_i$, $\{x_{s,0}\}$ | $m_{s+j} < x_{s,0}$ | $m_i + m_{s+j} < x_i$ |
| $m_i \leq x_i$, $\{x_{s,0}\}$ | $m_{s+j} \leq x_{s,0}$ | $m_i + m_{s+j} \leq x_i$ |
| $x_i < n_i$, $\{x_{s,0}\}$ | $x_{s,0} < n_{s+j}$ or $x_{s,0} \leq n_{s+j}$ | $x_i < n_i + n_{s+j}$ |
| $x_i \leq n_i$, $\{x_{s,0}\}$ | $x_{s,0} < n_{s+j}$ | $x_i < n_i + n_{s+j}$ |
| $x_i \leq n_i$, $\{x_{s,0}\}$ | $x_{s,0} \leq n_{s+j}$ | $x_i \leq n_i + n_{s+j}$ |
| $x_i = n_i$, $\{x_{s,0}\}$ | $x_{s,0} \sim n_{s+j}$ | $x_i \sim n_i + n_{s+j}$ |

These rules ensure that each future constraint on the clock $x_{s,0}$ separately conforms to and does not deviate from the possible time range of the silent transition. Yet, we need to satisfy a second condition: that along each path that starts at $q_{s,0}$ these future occurrences of $x_{s,0}$ are synchronized. This is achieved by augmenting the future guards with constraints of the form that appear in Table 3. No transition in our running example needs synchronization, hence we use a different example: the upper automaton in Figure 5 shows one silent transition followed by two observable transitions. Using only the previous update rules when removing the silent transition, the first observable transition might occur between three and four seconds, and the second one between five and six seconds. If the first transition occurs after three seconds and the second one after six, this would not conform to the original automaton, which required exactly two seconds between them. Thus, applying the last synchronization rule of Table 3, the constraint $x_1 = 4 - 2$ is conjuncted to the second guard. The lower automaton in Figure 5 illustrates the synchronization. Note that we do not need a bypass transition here, since the silent transition starts in the initial state.

Table 3: Synchronization constraints for future guards after removing silent transitions

| Constr. of $g_{s+j}$ | Constr. of $g_{s+i}$, $i < j$ | Sync. Constr. of $g_{s+j}$ |
|---|---|---|
| $m_{s+j} < x_{s,0}$ | $x_{s,0} < n_{s+i}$ or $x_{s,0} \leq n_{s+i}$ | $m_{s+j} - n_{s+i} < x_{s+i}$ |
| $m_{s+j} \leq x_{s,0}$ | $x_{s,0} < n_{s+i}$ | $m_{s+j} - n_{s+i} < x_{s+i}$ |
| $m_{s+j} \leq x_{s,0}$ | $x_{s,0} \leq n_{s+i}$ | $m_{s+j} - n_{s+i} \leq x_{s+i}$ |
| $x_{s,0} < n_{s+j}$ | $m_{s+i} < x_{s,0}$ or $m_{s+i} \leq x_{s,0}$ | $x_{s+i} < n_{s+j} - m_{s+i}$ |
| $x_{s,0} \leq n_{s+j}$ | $m_{s+i} < x_{s,0}$ | $x_{s+i} < n_{s+j} - m_{s+i}$ |
| $x_{s,0} \leq n_{s+j}$ | $m_{s+i} \leq x_{s,0}$ | $x_{s+i} \leq n_{s+j} - m_{s+i}$ |
| $x_{s,0} = n_{s+j}$ | $x_{s,0} = n_{s+i}$ | $x_{s+i} = n_{s+j} - n_{s+i}$ |

Figure 5: Guard synchronization

4.0.5 Removing the Silent Transition.

Finally, we can safely remove the silent transition $\tau_{s,0}$ from $q_s$ to $q_{s,0}$ after forming the bypass from $q_{s-1}$ to $q_{s,0}$ with the necessary modifications to the transition guards.

Theorem 4.1 (Silent Transitions Removal) $\mathcal{L}(O(A)) = \mathcal{L}(A)$.
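As an added illustration (not code from the paper or from MoMuT::TA), the following Python snippet carries the guard manipulations of Algorithm 1 (Sections 4.0.1 to 4.0.4, Tables 1 and 2) through the running example of Figure 4; the synchronization rules of Table 3 are not covered. The clock names x1, x2 and x20 (for $x_{2,0}$) and the constraint classes are this example's own assumptions; the Table 2 rules are applied to every lower bound of $g'_{s,0}$, including the auxiliary $0 \leq x_2$, which is why a bound $1 \leq x_2$ appears next to the $2 \leq x_1 \leq 3$ quoted in the text.

```python
from dataclasses import dataclass
from itertools import product

# Atomic clock constraints over the renamed clocks (representation assumed here);
# an equality x = n is split into n <= x and x <= n, as in the text.
@dataclass(frozen=True)
class Lower:                # m < x (strict) or m <= x
    x: str
    m: int
    strict: bool = False

@dataclass(frozen=True)
class Upper:                # x < n (strict) or x <= n
    x: str
    n: int
    strict: bool = False

@dataclass(frozen=True)
class Diff:                 # xj - xi < c (strict) or xj - xi <= c: a diagonal constraint
    xj: str
    xi: str
    c: int
    strict: bool = False

def show(atom):
    op = "<" if atom.strict else "<="
    if isinstance(atom, Lower):
        return f"{atom.m} {op} {atom.x}"
    if isinstance(atom, Upper):
        return f"{atom.x} {op} {atom.n}"
    return f"{atom.xj} - {atom.xi} {op} {atom.c}"

def render(guard):          # sorted textual form of a conjunction, for inspection
    return sorted(show(a) for a in guard)

def set_lower_bound(silent_guard, x_s):
    """Section 4.0.1: g'_{s,0} = g_{s,0} /\\ (0 <= x_s), x_s being reset on tau_s."""
    return list(silent_guard) + [Lower(x_s, 0)]

def enabling_guard(g_prime, x_s):
    """Section 4.0.2, Table 1: one constraint per (lower, upper) pair of g'_{s,0}
    on distinct clocks; x_s is reset on the bypass and therefore counts as 0."""
    lowers = [a for a in g_prime if isinstance(a, Lower)]
    uppers = [a for a in g_prime if isinstance(a, Upper)]
    out = []
    for lo, up in product(lowers, uppers):
        if lo.x == up.x:                   # Table 1 requires i != j
            continue
        strict = lo.strict or up.strict
        if lo.x == x_s:                    # (m_s < x_s) /\ (x_j < n_j)  ->  x_j < n_j - m_s
            out.append(Upper(up.x, up.n - lo.m, strict))
        elif up.x == x_s:                  # (m_i < x_i) /\ (x_s < n_s)  ->  m_i - n_s < x_i
            out.append(Lower(lo.x, lo.m - up.n, strict))
        else:                              # (m_i < x_i) /\ (x_j < n_j)  ->  x_j - x_i < n_j - m_i
            out.append(Diff(up.x, lo.x, up.n - lo.m, strict))
    return out

def taken_guard(x_s0):
    """Section 4.0.3: tg(tau_{s,0}) = 0 <= x_{s,0}; rewritten by update_future_guard."""
    return [Lower(x_s0, 0)]

def update_future_guard(future, g_prime, x_s0):
    """Section 4.0.4, Table 2: each bound on the deleted clock x_{s,0} becomes one
    bound per clock bounded the same way in g'_{s,0}; other atoms are kept."""
    out = []
    for a in future:
        if isinstance(a, Lower) and a.x == x_s0:
            out += [Lower(lo.x, lo.m + a.m, lo.strict or a.strict)
                    for lo in g_prime if isinstance(lo, Lower)]
        elif isinstance(a, Upper) and a.x == x_s0:
            out += [Upper(up.x, up.n + a.n, up.strict or a.strict)
                    for up in g_prime if isinstance(up, Upper)]
        else:
            out.append(a)
    return out

def simplify(guard):
    """Section 6's on-the-fly simplification: keep the tightest lower and upper
    bound per clock and drop the trivially true 0 <= x."""
    lows, ups, diffs = {}, {}, []
    for a in guard:
        if isinstance(a, Lower):
            cur = lows.get(a.x)
            if cur is None or (a.m, a.strict) > (cur.m, cur.strict):
                lows[a.x] = a
        elif isinstance(a, Upper):
            cur = ups.get(a.x)
            if cur is None or (a.n, not a.strict) < (cur.n, not cur.strict):
                ups[a.x] = a
        else:
            diffs.append(a)
    keep = [a for a in lows.values() if a.strict or a.m != 0]
    return keep + list(ups.values()) + diffs

def coffee_machine_example():
    """Figure 4: clocks x1 (reset at coin), x2 (reset at beep), x20 = x_{2,0} (reset
    on the silent transition). Returns the bypass guard and the updated coffee guard."""
    beep = [Lower("x1", 0), Upper("x1", 3)]        # tau_s:   0 <= x1 <= 3, resets x2
    silent = [Lower("x1", 1), Upper("x1", 2)]      # tau_s,0: 1 <= x1 <= 2, resets x20
    coffee = [Lower("x20", 1), Upper("x20", 1)]    # future guard x20 = 1, split in two
    g_prime = set_lower_bound(silent, "x2")
    bypass = beep + enabling_guard(g_prime, "x2")  # guard of the bypass from q1 to q3
    future = update_future_guard(coffee + taken_guard("x20"), g_prime, "x20")
    return render(bypass), render(simplify(future))
```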

5 Determinization 

Existing determinization algorithms (as e.g. applied in [citation unreadable]) create the powerset of all transitions to be determinized, and build one transition for each subset in the powerset. We propose an alternative approach that reduces the number of locations and transitions in the deterministic automaton by shifting some complexity towards the guards. Our motivation is the use of SMT solvers for verifying the timed automata models. The larger guards can be directly converted into SMT-LIB formulas, and thus should not pose a problem.

The approach works under the following prerequisites: After the removal of the silent transitions the timed automaton $A$ is in the form of a tree of depth $k$. At each level $i$ the same new clock $x_i$ is reset on each of the transitions of that level. This is the only clock reset on this level, and no clock is ever reset again.

Figure 6: (a) Modified guards added to future transitions (b) determinization via disjunction (coffee transition shown with guard $2 \leq x_1 \leq 3 \wedge 1 \leq x_1 \wedge 0 \leq x_1 - x_2 \leq 3 \wedge x_1 - x_2 \leq 2$ and reset $\{x_3\}$)

The basic idea behind the determinization algorithm is to merge all transitions of the same source location and the same action via disjunction, and to push the decision which of them was actually taken to the following transitions. The postponed decision which transition was actually taken can be solved later on by forming diagonal constraints (as in zones) that are invariants of the time progress, and are conjuncted to immediately following transitions. Note that the distinction between accepting and non-accepting locations increases complexity slightly: the determinization of transitions leading to accepting locations and transitions leading to non-accepting locations can not be done exclusively by disjunction of their guards. We therefore need to add an accepting and a non-accepting location to the deterministic tree, and merge all transitions leading to non-accepting locations and all transitions leading to accepting locations separately. To ensure determinism for these transitions, we conjunct the negated guard of the accepting transition to the guard of the non-accepting transition.

A pseudo-code description is given in Algorithm 2. The determinization is done in several steps applied to every location $q$ with multiple outgoing transitions with the same action (Line 5), starting at the initial location (Line 1). Let $q_i$ be such a location with multiple $a$-transitions (Line 5). First, we add an accepting and a non-accepting location $q_{acc}$, $q_{\neg acc}$ replacing the target locations of the multiple $a$-transitions (Line 7). Then, for each $\tau_i$ of the $a$-transitions with guard $g$ from $q_i$ to $q_{i+1}$, let $g'$ be the result of subtracting the clock $x_{i+1}$ that is reset on $\tau_i$ from all clocks that appear in $g$ (Lines 9-12). Next, $g'$ is conjuncted to the guards of each transition $\tau_{i+1}$ that follows $\tau_i$, and the source location of $\tau_{i+1}$ is set to either $q_{acc}$ or $q_{\neg acc}$, depending on whether $q_{i+1}$ is accepting or not. Transitions leaving $q_{\neg acc}$ are additionally copied to $q_{acc}$ in case the guards of $a$-transitions overlap (Lines 14-15). Note that $g'$ evaluates to true in every branch below $\tau_i$ if $\tau_i$ was enabled, thus the conjunction does not change the language of the automaton. Figure 6(a) illustrates the conjunction of the modified guards on our running example, marked in red. Note that the determinization did not involve any accepting locations, thus there was no splitting into $q_{acc}$ and $q_{\neg acc}$. Next, all the $a$-transitions from $q_i$ leading to accepting locations are merged into a transition leading to $q_{acc}$ (Line 22) and all others into a transition leading to $q_{\neg acc}$ (Line 23), by disjuncting their guards (Lines 18-19). The guard of the transition leading to $q_{\neg acc}$ is conjuncted with the negation of the other guard, to ensure determinism (Line 23). Finally, all merged transitions and their target locations can be removed (Line 20). Figure 6(b) shows the determinized coffee machine.


Algorithm 2 Guard-Oriented Determinization

Input: $A \in NTA_k$ in the form of a tree of depth $k$ with renamed clocks
Output: $D(A) \in TA_k$, such that $\mathcal{L}(D(A)) = \mathcal{L}(A)$

1: $P \leftarrow \{(q_{init}, 0)\}$
2: while $P \neq \emptyset$ do
3:     Pick $(q_i, i) \in P$; $P \leftarrow P \setminus \{(q_i, i)\}$
4:     for each $a \in \Sigma$ do
5:         if $\exists\ \tau_1(q_i, a, g_1, \{x_{i+1}\}, q_1) \neq \tau_2(q_i, a, g_2, \{x_{i+1}\}, q_2)$ then
6:             $g_{acc} \leftarrow false$; $g_{\neg acc} \leftarrow false$
7:             Add new locations $q_{acc}$, $q_{\neg acc}$
8:             for each transition $\tau_i(q_i, a, g_{i+1}, \{x_{i+1}\}, q_{i+1})$ do
9:                 $g' \leftarrow g_{i+1}$
10:                for each clock $x_j$ in $g_{i+1}$ do
11:                    $g' \leftarrow g'[x_j := x_j - x_{i+1}]$
12:                end for
13:                for each transition $\tau_{i+1}(q_{i+1}, \beta, g_{i+2}, \{x_{i+2}\}, q_{i+2})$ do
14:                    Add $\tau_{acc}(q_{acc}, \beta, (g_{i+2} \wedge g'), \{x_{i+2}\}, q_{i+2})$
15:                    Add $\tau_{\neg acc}(q_{\neg acc}, \beta, (g_{i+2} \wedge g'), \{x_{i+2}\}, q_{i+2})$
16:                    Remove $\tau_{i+1}$
17:                end for
18:                if $accepting(q_{i+1})$ then $g_{acc} \leftarrow g_{acc} \vee g_{i+1}$ end if
19:                if $\neg accepting(q_{i+1})$ then $g_{\neg acc} \leftarrow g_{\neg acc} \vee g_{i+1}$ end if
20:                Remove $\tau_i$ and $q_{i+1}$
21:            end for
22:            Add transition $\tau_{acc}(q_i, a, g_{acc}, \{x_{i+1}\}, q_{acc})$
23:            Add transition $\tau_{\neg acc}(q_i, a, (g_{\neg acc} \wedge \neg g_{acc}), \{x_{i+1}\}, q_{\neg acc})$
24:        end if
25:    end for
26:    for each transition $\tau_i(q_i, a, g_{i+1}, \{x_{i+1}\}, q_{i+1})$ do
27:        $P \leftarrow P \cup \{(q_{i+1}, i + 1)\}$
28:    end for
29: end while


Theorem 5.1 (Determinization) The determinization algorithm constructs a deterministic timed automaton $D(A)$ such that $\mathcal{L}(D(A)) = \mathcal{L}(A)$.


6 Complexity 

Bounded Unfolding. We unfold the timed automaton $A$ into a tree and cut 
it when reaching observable level $k$. Let us assume that the tree is of depth $K$, 
$K > k$, and of size $N = O(d^K)$, with $d > 1$ representing the approximate out-degree 
of the vertices in the graph of $A$. Since the analysis of the SMT solvers 
for different applications requires the exploration of all the transitions in the 
unfolded graph of $A$, the unfolding stage of our algorithm does not necessarily 
increase the overall time complexity of the algorithm. 

Removing Silent Transitions. Our algorithm does not increase the size of 
the tree since we only substitute the silent transitions by the bypass transitions. 
We do add, however, constraints. The number of enabling-guard constraints 
that we add to each bypass transition is of order $O(K^2)$. Each updated future 
constraint is of order $O(K)$ (including on-the-fly simplification, so that each 
clock has at most one lower and one upper bound), and each future transition 
may be updated at most $O(K)$ times. Hence, the updating step is also of order 
$O(K^2)$, and the complexity of the whole algorithm is $O(NK^2)$. Note that we 
do not need to transform the diagonal constraints introduced in the algorithm 
into unary constraints, nor do they introduce problems in the next algorithm of 
determinization. 

Determinization decreases the size of the unfolded automaton if non-determinism 
exists. The complexity gain can be exponential in the number of locations 
and transitions, but is offset by a proportionally larger complexity in the 
guards. 

7 Implementation and Experimental Results 

The algorithms were implemented in Scala (Version 2.10.3) and integrated into 
the test-case generation tool MoMuT::TA¹, providing a significant increase in 
the capabilities of the tool. MoMuT::TA provides model-based mutation testing 
algorithms for timed automata [5], using UPPAAL's [13] XML format as input 
and output. The determinization algorithm uses the SMT-solver Z3 [10] for 
checking satisfiability of guards. All experiments were run on a MacBook Pro 
with a 2.53 GHz Intel Core 2 Duo Processor and 4 GB RAM. 

The implementation is still a prototype and further optimizations are planned. 
One already implemented optimization is the "on-the-fly" execution of the presented 
algorithms, allowing the unrolling, clock renaming, silent transition removal 
and determinization in one single walk through the tree. The combined 
algorithm does not suffer from the full exponential blow-up of the unfolding: 
if the automaton contains a location that can be reached via different traces, 
yet with the same clock resets, the unfolding splits it into several, separately 
processed, locations, while the on-the-fly algorithm only needs to process it once. 

The following studies compare the numbers of locations and the runtimes of 
a) the silent transition removal, b) a standard determinization algorithm that 
works by splitting non-deterministic transitions into several transitions that 
contain each possible combination of their guards, c) the new determinization 
algorithm introduced in Section 5, and d) its on-the-fly version. 

¹ https://momut.org/?page_id=355 





[Figure 7 (image not reproduced): four timed automata, panels (a) to (d), each with an initial location marked "start"; the guards visible in the drawing are 0 < x < 1, x > 0 and x = 1, and one transition has a reset set.] 

Figure 7: The four timed automata used in Study 1 and Study 2 


Study 1. The first example, taken from Diekert et al., is the timed automaton 
illustrated in Fig. 7(a), which cannot be determinized. We then added 
another a-transition (Fig. 7(b)), which causes non-determinism after removing 
the silent transition. The test results are shown in Table 4 (before and after 
modification). 

Study 2. The second example is taken from Baier et al. [1] and is illustrated in 
Fig. 7(c). We modified the automaton by adding a silent transition (Fig. 7(d)). 
Table 5 shows the results of the two determinization approaches. 

Study 3. This study is part of a model of an industrial application: it is 
based on a car alarm system that was already used as an example in our work 
on model-based mutation testing from timed automata (see [5] for the whole 
model). In this evaluation, we introduced a silent transition that adds a non-deterministic 
delay of up to two seconds before the timer of the alarm starts, 
and our results are given in Table 6. We were able to perform the removal of 
silent transitions and the guard-oriented determinization up to depth 12, and 
the location-oriented determinization up to depth 8. 

As expected, the studies confirm that the complexity of the different algorithms 
depends vastly on the input models. For the current paper we picked 
two small examples that were introduced in previous papers on determinization 
and one example that was an industrial use case in a previous project. Our 


Depth | Number of locations                          | Runtime (sec.) 
      | unfolded | std. det. | new det. | on-the-fly | ε-removal | std. det. | new det. | on-the-fly 
------+----------+-----------+----------+------------+-----------+-----------+----------+----------- 
  2   |        8 |         7 |        7 |          7 |       0.1 |       0.3 |      0.1 |        0.1 
  5   |       78 |        63 |       63 |         63 |       0.4 |       0.5 |      0.4 |        0.2 
  9   |    1,278 |     1,023 |    1,023 |      1,023 |  16,011.2 |       6.7 |      7.2 |        1.0 
  2   |        9 |         8 |        8 |          8 |       0.2 |       0.2 |      0.2 |        0.1 
  5   |      177 |       135 |       84 |         63 |       0.8 |       0.9 |      1.3 |        0.7 
  9   |    8,361 |     4,364 |    3,609 |      1,023 |  20,969.0 |      71.2 |     88.3 |        9.6 

Table 4: Runtime and number of locations for the automata of Fig. 7(a) (first 
three rows) and Fig. 7(b) (last three rows) 
Depth | Number of locations                          | Runtime (sec.) 
      | unfolded | std. det. | new det. | on-the-fly | ε-removal | std. det. | new det. | on-the-fly 
------+----------+-----------+----------+------------+-----------+-----------+----------+----------- 
  2   |        5 |         5 |        4 |          4 |         - |       0.1 |      0.1 |        0.1 
  5   |       11 |        10 |        8 |          8 |         - |       0.2 |      0.3 |        0.1 
 10   |       21 |        21 |       16 |         16 |         - |       0.3 |      0.3 |        0.1 
 25   |       51 |        50 |       38 |         38 |         - |       0.5 |      0.9 |        0.2 
 50   |      101 |       100 |       76 |         76 |         - |       0.7 |    391.6 |        0.3 
  2   |        5 |         5 |        4 |          4 |       0.1 |       0.1 |      0.1 |       0.01 
  5   |       24 |        26 |        8 |          8 |       0.2 |       2.1 |      0.4 |        0.3 
 10   |      140 |       661 |       16 |         16 |       0.5 |   1,945.1 |      2.1 |        0.5 

Table 5: Runtime and number of locations for the automata of Fig. 7(c) (first 
three rows) and Fig. 7(d) (last three rows) 


next step will be a stronger evaluation on a larger case study. The tool and the 
current examples are available². 


8 Related Work 

The main inspiration to our work comes from and [1]. Berard et al. show 
that silent transitions extend the expressive power of TA and identify a sub-class 
of eNTA for which silent transitions can be removed. By restricting ourselves to 
the bounded setting, we can remove silent transitions of all strongly-responsive 
eNTAs. In addition, our approach for removing silent transitions preserves diagonal 
constraints in the resulting automaton, thus avoiding a potential exponential 
blow-up in the size of its representation (see [3] for the practical advantages 
of preserving diagonal constraints in TA). Baier et al. [3] propose a procedure 
for translating NTA to infinite DTA trees, and then identify several classes of 
NTA that can be effectively determinized into finite DTA. In contrast to our 
work, their procedure works on the region graph, which makes it impractical 
for implementation. In addition, we also allow in our determinization procedure 
disjunctive constraints, which results in a more succinct representation that can 
be directly handled by the bounded model checking tools. Both [S] and [1] tackle 

² https://momut.org/?page_id=394 


Depth | Number of locations                          | Runtime (sec.) 
      | unfolded | std. det. | new det. | on-the-fly | ε-removal | std. det. | new det. | on-the-fly 
------+----------+-----------+----------+------------+-----------+-----------+----------+----------- 
  2   |        8 |         8 |        8 |          8 |     0.108 |       0.2 |      0.1 |        0.0 
  5   |      153 |       139 |       83 |         81 |       0.4 |       1.0 |      0.8 |        0.2 
  8   |    2,062 |     1,973 |      757 |        739 |       4.1 |     129.0 |     11.6 |        0.9 
 12   |   78,847 |         - |   14,009 |     13,545 |  10,592.3 |         - |  4,832.1 |       10.2 

Table 6: Runtime and number of locations for the Car Alarm System [5], modified 
by adding a silent transition causing a 0-2 seconds delay. 
non-determinism and observability in TA from a general theoretical perspective. 
We adapt the ideas from these papers and propose an effective procedure for 
the bounded determinization of eNTA. 

Wang et al. use timed automata for language inclusion. Their procedure 
involves building a tree, renaming the clocks and determinization of the tree. 
Contrary to our work, they do not restrict themselves to the bounded setting, 
thus taking the risk that their algorithm does not terminate for some classes of 
timed automata. Also, they use the "standard" determinization method that 
involves splitting non-deterministic transitions into a possibly far larger set of 
deterministic transitions, whereas we join them into one transition. 

Krichen and Tripakis produce deterministic testers for non-deterministic 
timed automata in the context of model-based testing. They restrain the testers 
to using only one clock, which is reset upon receiving an input. The testers are 
sound, but not in general complete and might accept behavior of the system 
under test that should be rejected. Bertrand et al. [7] develop a game-based 
method for determinization of eNTA which generates either a language equivalent 
DTA when possible, or its approximation otherwise. A similar approach 
is proposed in the context of model-based testing, where it is shown that 
their approximate determinization procedure preserves the tioco relation. In 
contrast to our approach, which is language preserving up to a bound $k$, and 
thus appropriate for bounded model checking algorithms, determinization in the 
above-mentioned papers introduces a different kind of approximation than ours. 


9 Conclusion 

The bounded setting allows the handling of a larger class of TA and in a more 
efficient way than in the unbounded setting. The extension from standard unary 
constraints to diagonal and disjunctive constraints has a practical reason: it is 
more efficient to let the SMT solvers deal with them than to translate them into 
standard form. In this paper a novel procedure was presented, which transforms 
bounded, non-deterministic and partially-observable TA into deterministic and 
fully-observable TA with diagonal and disjunctive constraints. The procedure 
includes an algorithm for removing the silent transitions and a determinization 
algorithm. It was implemented, tested and integrated into a model-based test 
generation tool. Recently [1] we investigated ways of pruning the determinized 
tree, to reduce the state space of the unfolding. These approaches look promising 
for applying the presented work to test-case generation in industrial studies. 
10 Appendix A - Renaming of Clocks 


Algorithm 3 Renaming the Clocks 

Input: A ∈ eNTA_K, a tree of depth K and observable depth k, clocks X, |X| = n 
Output: A' ∈ eNTA_K, clocks |X'| = K, single clock reset per transition, 
same clock reset at same (observable, silent) level 
 1: l1 ← 0                                   ▷ observable (primary) level 
 2: l2 ← −1                                  ▷ silent (secondary) level 
 3: for i ← 0, n − 1 do 
 4:   X[i] ← x_0                             ▷ x_0 is reset at the initial location 
 5: end for 
 6: RenameClocks(q_0, X, l1, l2) 
 7: procedure RenameClocks(q, X, l1, l2) 
 8:   for each τ = (q, a, g, X_rst, q') ∈ trans(q) do 
 9:     for i ← 0, n − 1 do 
10:       g ← g[x_i ← X[i]]                  ▷ renaming the clocks in the guard g 
11:     end for 
12:     if a = ε then                         ▷ silent transition 
13:       l2 ← l2 + 1 
14:       x ← x_{l1,l2}                       ▷ the new reset clock in case of a silent trans. 
15:     else 
16:       l1 ← l1 + 1 
17:       l2 ← −1 
18:       x ← x_{l1}                          ▷ the new reset clock in case of an observable trans. 
19:     end if 
20:     for i ← 0, n − 1 do 
21:       if x_i ∈ X_rst then 
22:         X[i] ← x                          ▷ updating the clock substitution list 
23:       end if 
24:     end for 
25:     X_rst ← {x}                           ▷ updating the reset clocks of τ 
26:     if l1 < k then 
27:       RenameClocks(q', X, l1, l2)         ▷ recursive call with the target location 
28:     end if 
29:   end for 
30: end procedure 



The concrete algorithm used for renaming of the clocks is presented in pseudo-code 
in Algorithm 3. The original clocks are $x_0, \ldots, x_{n-1}$. Each new clock has 
either one index ($l_1$) in case the transition in which it is reset is observable, or 
two indices ($l_1, l_2$) in case of a silent transition. After the removal of the silent 
transitions stage we will be left with clocks with a single index and the same 
clock reset for the same level of the tree. The vector $X[0..n-1]$ holds the clock 
substitution list: $X[i]$ refers to the new clock that substitutes the original clock 
$x_i$. The set of transitions with source location $q$ is denoted by $trans(q)$. 
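As an added illustration (not code from the paper or from MoMuT::TA), the following Python carries out the renaming of Algorithm 3 on a small constructed tree. The transition encoding, the original clock names c0 and c1, and the function name are assumptions of this example; the level counters are passed down per branch, so sibling transitions at the same level reset the same clock, as the output specification of Algorithm 3 requires.

```python
# Constructed input (not from the paper): a tree over the original clocks c0, c1 with one
# silent transition. A transition is (src, label, guard, resets, dst), a guard is a list of
# (clock, op, bound) atoms, and the label "eps" marks a silent transition.
TREE = [
    ("q0", "a",   [("c0", "<", 2)],                 {"c1"}, "q1"),
    ("q1", "eps", [("c1", ">", 1)],                 {"c0"}, "q2"),   # silent, resets c0
    ("q2", "b",   [("c0", "<", 3), ("c1", "<", 5)], set(),  "q3"),
    ("q1", "b",   [("c0", "<", 4)],                 {"c1"}, "q4"),
]

def rename_clocks(trans, q0, orig_clocks, k):
    """Algorithm 3: every transition gets one fresh reset clock, x_{l1} on an observable
    edge and x_{l1,l2} on a silent one; guards are rewritten through the substitution
    list X that maps each original clock to the new clock currently standing for it."""
    out = []
    def rec(q, X, l1, l2):                                 # levels per branch, by value
        for src, a, guard, resets, dst in [t for t in trans if t[0] == q]:
            g = [(X[c], op, b) for c, op, b in guard]        # lines 9-11: rename the guard
            if a == "eps":                                   # lines 12-14: silent edge
                l1n, l2n = l1, l2 + 1
                x = f"x{l1n},{l2n}"
            else:                                            # lines 15-18: observable edge
                l1n, l2n = l1 + 1, -1
                x = f"x{l1n}"
            Xn = {c: (x if c in resets else X[c]) for c in X}  # lines 20-24: update X
            out.append((src, a, g, {x}, dst))               # line 25: reset only the new clock
            if l1n < k:                                      # lines 26-28: recurse below depth k
                rec(dst, Xn, l1n, l2n)
    rec(q0, {c: "x0" for c in orig_clocks}, 0, -1)          # lines 1-6: all clocks start as x0
    return out

def reset_clocks_by_edge(renamed):
    """Map (src, label, dst) to the single clock reset on that edge, for inspection."""
    return {(t[0], t[1], t[4]): next(iter(t[3])) for t in renamed}
```

Running rename_clocks(TREE, "q0", ["c0", "c1"], 2) gives the observable edges the clocks x1 and x2, the silent edge the clock x1,0, and rewrites the guard of q2 -b-> q3 to x1,0 < 3 and x1 < 5, because c0 was reset on the silent edge and c1 on the first observable edge.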


11 Appendix B - Proofs 


11.1 Proof of Theorem 4.1 [Silent Transitions Removal] 


Given a non-deterministic timed automaton with silent transitions $A$ in the 
form of a finite tree, we need to show that our algorithm of removing the silent 
transitions results in an equivalent timed automaton, that is, $\mathcal{L}(\mathcal{O}(A)) = \mathcal{L}(A)$. 
That is, we will show that if $A'$ is the result of removing one first silent transition 
then $A$ and $A'$ are equivalent: for every timed trace of $A$ there is an equivalent 
timed trace of $A'$ and vice versa, in the sense that the corresponding observable 
timed traces are identical. 

We claim that by induction the proof of equivalence for a single removal of a 
first silent transition suffices to prove the theorem. First, there are only finitely 
many silent transitions in $A$. Secondly, the removal of a silent transition does 
not change the form of the guards at the part of the automaton that contains the 
remaining silent transitions: the introduction of diagonal constraints happens 
only at the enabling guard and so the algorithm for removal of the next silent 
transitions remains the same. 

So, let $\tau_{s,0}$ be a first silent transition on a path $\gamma$ that starts at the initial 
location. Let $\tau_{s,0}$ be from location $q_s$ to location $q_{s,0}$, let $q_{s-1}$ be the location 
that leads to $q_s$ and let $q_{s+1}$ be a location that follows $q_{s,0}$ on the path. Let 
$A'$ be the automaton that results after removing $\tau_{s,0}$ and performing the steps as 
in Algorithm 1. Clearly, for every run that does not pass through $\tau_{s,0}$ there is 
an identical run in the other automaton. Thus, we restrict ourselves to runs 
through $\tau_{s,0}$. 


11.1.1 $\mathcal{L}(A) \subseteq \mathcal{L}(A')$. 

Let $\rho$ be a run on $A$ through $\gamma$. We need to show that there exists a run $\rho'$ on 
$A'$ with the same observable trace as $\rho$. The run $\rho'$ will go through the same 
locations and transitions as does $\rho$, except for the part $q_{s-1}, \tau_s, q_s, \tau_{s,0}, q_{s,0}$ in $A$, 
which will be replaced by the bypass $q_{s-1}, \tau'_s, q_{s,0}$ in $A'$ as in Fig. . The dates 
of the transitions will also be the same, except for the silent transition that is 
missing in $\rho'$. That is, if $t_s$, $t_{s,0}$ and $t_{s+1}$ are the dates of $\rho$ at the transitions 
$\tau_s$, $\tau_{s,0}$ (the silent transition) and $\tau_{s+1}$ then the corresponding transitions of $\rho'$ 
will take place at $t_s$ (the time of the bypass) and $t_{s+1}$. 

Since $\rho$ goes through $\tau_{s,0}$, we know that by the time $t_s$ after the reset of 
clock $x_s$ the guard $g_{s,0}$ of $\tau_{s,0}$ is satisfied in some non-negative time. Thus, we 
know that each constraint of a clock $x_j$ that appears in $g_{s,0}$ is satisfied at a non-negative 
delay, and that all these constraints can be satisfied simultaneously. 
So, first we need to show that the corresponding guard $g'_s = g_s \wedge eg(\tau_{s,0})$ of 
$\tau'_s$ in $\rho'$ is satisfied at the same time, that is, that the enabling guard $eg(\tau_{s,0})$ is 
satisfied at $t_s$. 

We will mostly restrict ourselves to strict inequalities, as the extension to the 
other cases (strict inequality versus weak inequality or weak inequality versus 
weak inequality) is straightforward. 

For each clock $x_j$ that is not reset at $\tau_s$ (that is, $j \neq s$) and that appears 
with an upper bound constraint $x_j < n_j$ (or $x_j \leq n_j$) at $g_{s,0}$, clearly the same 
constraint holds also at the not-later time $t_s$. But that part is exactly what 
we have in $eg(\tau_{s,0})$ when comparing the upper bound constraint of $x_j$ with the 
lower bound constraint of the reset clock $x_s$. Here the constraint in $eg(\tau_{s,0})$ 
is, in general, $x_j - x_s < n_j - m_s$, and since $m_s = 0$ and $x_s$ is reset at $\tau_s$ and 
replaced by 0 in the inequality, the result is indeed $x_j < n_j$. 

In addition to the above unary constraints, we know that each upper bound 
constraint on clock $x_j$ in $g_{s,0}$ refers to a time which is of greater delay than the 
delay needed to reach each lower bound constraint on clock $x_i$ in $g_{s,0}$, that is, 
$n_j - x_j > m_i - x_i$ at time $t_{s,0}$, otherwise these constraints couldn't have been 
satisfied simultaneously in $\rho$. But this is indeed the constraint $x_j - x_i < n_j - m_i$ 
that appears in $eg(\tau_{s,0})$. 

We have seen that all the constraints of $eg(\tau_{s,0})$ are satisfied at time $t_s$ and 
so the guard $g'_s$ of $\rho'$ is satisfied at $t_s$ and the transition can be taken. 

The next step is to show that the transition with guard $g'_{s+1}$ of $\rho'$ from 
location $q_{s,0}$ to location $q_{s+1}$, as well as the next transitions $\tau_{s+j}$, $j = 2, \ldots, p$, 
with guards $g'_{s+j}$, can be taken at the same dates $t_{s+j}$ on which $\tau_{s+j}$ are taken 
in $\rho$ on guards $g_{s+j}$, $j = 1, \ldots, p$. 

If the silent transition happens to be on an exact time, $x_i = n_i$, then the 
update of the future guards that refer to the clock $x_{s,0}$ that was reset at $\tau_{s,0}$ 
is clear: each occurrence of $x_{s,0}$ is replaced by $x_i - n_i$, and we are done. So, 
suppose that there are no exact constraints at the silent transition. 

For simplicity we will restrict ourselves mostly to strict inequalities and write 
the guard $g'_{s,0}$ of the silent transition $\tau_{s,0}$ as: 

$$g'_{s,0} = 0 < x_s \wedge \bigwedge_{i = 2, \ldots, r} m_i < x_i < n_i, \qquad (3)$$ 

where for some of the clocks $x_i$ there may be only a lower bound or only an 
upper bound constraint. 

The constraints on $x_{s,0}$ at the transitions $\tau_{s+j}$, $j = 1, \ldots, p$, contain $0 < x_{s,0}$ 
in $\tau_{s+1}$ and are of the general (strict inequalities) form $m_{s+j} < x_{s,0} < n_{s+j}$ in 
$\tau_{s+j}$. The corresponding updated constraints of $A'$ at time $t_{s+j}$, $j = 1, \ldots, p$, 
are 

$$m_i + m_{s+j} < x_i < n_i + n_{s+j}. \qquad (4)$$ 

First, we need to show that the taken guard $tg(\tau_{s,0})$ is satisfied at time $t_{s+1}$. 
The taken guard is the constraint $0 < x_{s,0}$. After the update of the future guards 
this constraint is replaced by the conjunction of all the lower bound constraints 
$m_i < x_i$ of $g'_{s,0}$. But since these lower bound constraints are satisfied at the 
time $t_{s,0}$ of the silent transition (in $\rho$) then clearly they are satisfied at $t_{s+1}$, 
$t_{s+1} > t_{s,0}$, that is, the updated taken guard $tg(\tau_{s,0})$ is satisfied in $\rho'$. 

Let us look at the other updated future constraints. Since at the time of the 
silent transition $x_{s,0} = 0$ and $m_i < x_i$, then at time $t_{s+j}$ when $m_{s+j} < x_{s,0}$ we 
have $m_i + m_{s+j} < x_i$. With a similar argument for the upper bound constraints, 
we see that the constraints of (4) are satisfied in $\rho'$. 

Also the part of the synchronization rules is clear since it refers to the possible 
minimum and maximum time difference between every two transitions on 
which $x_{s,0}$ occurs, and since the run $\rho$ goes through these transitions it assures 
that these constraints can be satisfied. So, for example, the synchronization 
constraint $m_{s+j} - n_{s+i} < x_{s+i} < n_{s+j} - m_{s+i}$ that is added to the guard $g_{s+j}$ 
of $\tau_{s+j}$ refers to the time difference $t_{s+j} - t_{s+i}$ between the transition $\tau_{s+i}$ and 
the transition $\tau_{s+j}$, $i < j$. 

Note that the synchronization with the constraint $0 < x_{s,0}$ of $\tau_{s+1}$ results in 
adding to $\tau_{s+j}$, $j = 1, \ldots, p$, the constraint $x_{s+1} < n_{s+j}$, that is $t_{s+j} - t_{s+1} < 
n_{s+j}$, which clearly is satisfied since $t_{s+j} - t_{s,0} < n_{s+j}$. 

We showed that the observable trace of $\rho'$ is the same as that of $\rho$ and this 
completes the proof of $\mathcal{L}(A) \subseteq \mathcal{L}(A')$. 

11.1.2 $\mathcal{L}(A') \subseteq \mathcal{L}(A)$. 

Let $\rho'$ be a run on $A'$ going through the bypass $\tau'_s$. We will show that there 
exists a run $\rho$ through $\tau_{s,0}$ in $A$ with the same observable trace as $\rho'$. 

The first thing we need to check is that the silent transition $\tau_{s,0}$ can be 
taken, given that the enabling guard $eg(\tau_{s,0})$ is satisfied at time $t_s$. The unary 
constraints $x_j < n_j$ (or $x_j \leq n_j$) of $eg(\tau_{s,0})$ guarantee that each of the constraints 
in the guard $g'_{s,0}$ of the silent transition $\tau_{s,0}$ can be satisfied separately at some 
time that is equal to or later than $t_s$. Then, in order that all the constraints 
could be satisfied simultaneously, it suffices to show that the minimum over 
the time delays to the upper bound constraints of the clocks appearing in $g'_{s,0}$ is 
greater than the maximum over the time delays to the lower bound constraints 
in $g'_{s,0}$ (the 'greater' should be replaced by 'greater or equal' in case both the 
maximum and minimum come from weak inequalities): 

$$\min_j (n_j - x_j) > \max_i (m_i - x_i). \qquad (5)$$ 

But this condition is equivalent to the condition that $n_j - x_j > m_i - x_i$ at time 
$t_s$ for every $i, j$, which is exactly the conjunction of diagonal constraints 

$$\bigwedge_{i, j} x_j - x_i < n_j - m_i \qquad (6)$$ 

of $eg(\tau_{s,0})$. 

Thus, we know that the silent transition $\tau_{s,0}$ can be taken in the run $\rho$ 
at some time $t_{s,0}$ after a delay of $M = \max_i (m_i - x_i)$ from $t_s$ (this delay is 
not negative since we introduced the constraint $0 < x_s$) and before a delay of 
$N = \min_j (n_j - x_j)$. 
It remains to show that the transitions $\tau_{s+1}, \ldots, \tau_{s+p}$ on guards $g_{s+1}, \ldots, g_{s+p}$ 
of $\rho$ can be taken at the same dates $t_{s+1}, \ldots, t_{s+p}$ as the corresponding transitions 
on guards $g'_{s+1}, \ldots, g'_{s+p}$ taken in $\rho'$. 

To be more specific, it suffices to prove that there exists $t_{s,0}$ with the following 
conditions: 

1. $t_s < t_{s,0} < t_{s+1}$; 

2. $g'_{s,0}$ is satisfied at $t_{s,0}$; 

3. the constraints on $x_{s,0}$ are satisfied at $t_{s+1}, \ldots, t_{s+p}$, with $x_{s,0}$ reset at 
$t_{s,0}$. 

For condition 2, the constraints of $g'_{s,0}$ that should be satisfied at time $t_{s,0}$ 
are 

$$\bigwedge_{i = 1, \ldots, r} m_i < x_i(t_{s,0}) < n_i. \qquad (7)$$ 

Equivalently, at each time $t_{s+j}$, $j = 1, \ldots, p$: 

$$\bigwedge_{i = 1, \ldots, r} m_i < x_i(t_{s+j}) - t_{s+j} + t_{s,0} < n_i, \qquad (8)$$ 

or, 

$$m_i - x_i(t_{s+j}) + t_{s+j} < t_{s,0} < n_i - x_i(t_{s+j}) + t_{s+j}. \qquad (9)$$ 


For condition 3, the constraints on $x_{s,0}$ that should be satisfied at times 
$t_{s+1}, \ldots, t_{s+p}$ are $m_{s+j} < x_{s,0}(t_{s+j}) < n_{s+j}$ for $j = 1, \ldots, p$. The constraint 
here at time $t_{s+1}$ is $0 < x_{s,0}(t_{s+1})$ possibly conjuncted with other constraints (for 
convenience we wrote all constraints as strict inequalities). This is equivalent 
to 

$$\bigwedge_{j = 1, \ldots, p} m_{s+j} < t_{s+j} - t_{s,0} < n_{s+j} \qquad (10)$$ 

or 

(11) 


We need to show that the constraints on $t_{s,0}$ of (9) and (11) do not define 
an empty set. This condition is equivalent to showing that the set $S_1$ of the 
above expressions to the left of $t_{s,0}$ is smaller than the set $S_2$ of the expressions 
to the right of $t_{s,0}$ (equivalently, that the maximum of $S_1$ is smaller than the 
minimum of $S_2$), where 

$$S_1 = \{\, m_i - x_i(t_{s+j}) + t_{s+j} \mid i = 1, \ldots, r,\ j = 1, \ldots, p \,\} \cup \{\, -n_{s+j} + t_{s+j} \mid j = 1, \ldots, p \,\}, \qquad (12)$$ 

and 

$$S_2 = \{\, n_i - x_i(t_{s+j}) + t_{s+j} \mid i = 1, \ldots, r,\ j = 1, \ldots, p \,\} \cup \{\, -m_{s+j} + t_{s+j} \mid j = 1, \ldots, p \,\}. \qquad (13)$$ 

There are two types of expressions in $S_1$ and two types of expressions in $S_2$, 
hence we need to check that the following 4 cases are satisfied. 
11.1.3 Case 1: $m_i - x_i(t_{s+j}) + t_{s+j} < n_{i'} - x_{i'}(t_{s+j'}) + t_{s+j'}$. 

This inequality is equivalent to 

$$m_i - x_i(t_{s,0}) + t_{s,0} < n_{i'} - x_{i'}(t_{s,0}) + t_{s,0}, \qquad (14)$$ 

or to 

$$m_i - x_i(t_{s,0}) < n_{i'} - x_{i'}(t_{s,0}). \qquad (15)$$ 

The latter is equivalent to 

$$x_{i'}(t_s) - x_i(t_s) < n_{i'} - m_i, \qquad (16)$$ 

which is (6), the enabling guard $eg(\tau_{s,0})$ that is satisfied at time $t_s$ of the run 
$\rho'$. 

11.1.4 Case 2: $m_i - x_i(t_{s+j}) + t_{s+j} < -m_{s+j'} + t_{s+j'}$. 

This inequality is equivalent to 

$$m_i - x_i(t_{s+j'}) + t_{s+j'} < -m_{s+j'} + t_{s+j'}, \qquad (17)$$ 

$$m_i - x_i(t_{s+j'}) < -m_{s+j'}, \qquad (18)$$ 

$$m_i + m_{s+j'} < x_i(t_{s+j'}). \qquad (19)$$ 

The last inequality is no other than one of the left inequalities of (4), which are 
the updated future constraints in $A'$ of the reset clock $x_{s,0}$, and thus are given 
to be satisfied. 

11.1.5 Case 3: $-n_{s+j'} + t_{s+j'} < n_i - x_i(t_{s+j}) + t_{s+j}$. 

This inequality is equivalent to 

$$x_i(t_{s+j'}) < n_i + n_{s+j'}.$$ 

But the last inequality is one of the right inequalities of (4), which are the 
updated future constraints in $A'$ of the reset clock $x_{s,0}$, and thus are given to 
be satisfied. 

11.1.6 Case 4: $-n_{s+i} + t_{s+i} < -m_{s+j} + t_{s+j}$. 

This inequality is equivalent to 

$$m_{s+j} - n_{s+i} < t_{s+j} - t_{s+i}.$$ 

The inequality certainly holds when $i = j$. When $i < j$ we can write this 
inequality with the clock $x_{s+i}$ that is reset at time $t_{s+i}$ in $A'$: 

$$m_{s+j} - n_{s+i} < x_{s+i}(t_{s+j}). \qquad (24)$$ 

But the last inequality can be found in the first row of Table , which contains 
the synchronization constraints of the updated future constraints in $A'$ of the 
reset clock $x_{s,0}$. 

Similarly, when $j < i$ we need to satisfy the inequality 

$$x_{s+j}(t_{s+i}) < n_{s+i} - m_{s+j}, \qquad (25)$$ 

which can be found in the fourth row of Table . 

We showed that the set of possible time values $t_{s,0}$ for the silent transition in 
$\rho$ is not empty, that is, there is a solution to the set of inequalities (9) and (11) 
in the indeterminate $t_{s,0}$ (again, the extension to weak inequalities is straightforward). 

To complete the proof it remains to show that the solution for $t_{s,0}$ satisfies 
condition 1, that is, that $t_s < t_{s,0} < t_{s+1}$. Well, the left inequality $t_s < t_{s,0}$ 
comes from satisfying the inequality $m_i - x_i(t_{s+j}) + t_{s+j} < t_{s,0}$ of (9) with 
$x_i = x_s$ and $m_i = m_s = 0$ (it refers to augmenting the silent transition guard 
with the constraint $0 < x_s$). This inequality is equivalent to $0 - x_s(t_s) + t_s < t_{s,0}$ 
or $t_s < t_{s,0}$ since $x_s$ was reset at time $t_s$. 

The right inequality comes from satisfying the inequality $t_{s,0} < -m_{s+1} + t_{s+1}$ 
of (11) with $m_{s+1} \geq 0$, that is, $t_{s,0} < t_{s+1}$. 


11.2 Proof of Theorem 5.1 [Determinization] 


The deterministic property of $D(A)$ follows from the fact that when merging 
$a$-transitions into $\tau_{acc}$ and $\tau_{\neg acc}$ then the guard of $\tau_{\neg acc}$ is a conjunction of some 
guard with the negation of the guard of $\tau_{acc}$. Hence, different runs will induce 
different timed traces. 

In general, by merging locations of $A$ in $D(A)$ we may only expand the 
language and conclude that $\mathcal{L}(A) \subseteq \mathcal{L}(D(A))$. On the other hand, the new 
constraints introduced in $D(A)$ may restrict the language. So, let us examine 
the new transformed constraints and show that they do not impose additional 
restrictions. Suppose the guard of transition $\tau$ contains the constraint $x \sim n$ and 
that $y$ is reset on $\tau$. Then, at the time $t_0$ of $\tau$, the constraint $x(t_0) - y(t_0) \sim n$ 
holds. But also at time $t_1 > t_0$ the constraint $x(t_1) - y(t_1) \sim n$ holds since 
$x$ and $y$ progress at the same rate. Hence, for any run through $\tau$ in $A$ there 
exists a corresponding run in $D(A)$ with the same trace because the additional 
constraints of the form $x - y \sim n$ that are added to the future guards are satisfied 
automatically by all runs in $D(A)$ that satisfy the guard of $\tau$. Thus, 
$\mathcal{L}(A) \subseteq \mathcal{L}(D(A))$ holds. 

To show that the language of $D(A)$ does not contain accepting traces that 
are not in the language of $A$ it suffices to show that when a transition in a 
merged location of $D(A)$ is enabled then the corresponding original transition 
in $A$ is enabled. But this is indeed the case since for each transition of $D(A)$ 
we first copy to its guard the transformed guard of the transition that leads to 
it, and this transformed guard contains all the history: the transformed guards 
of the path that leads to this transition. That is, by induction one shows that 
since the record of paths of level $n$ is passed to paths of level $n + 1$ then it 
holds for every level. 